Fixedfloat, a non-custodial cryptocurrency exchange that allows users to trade digital assets without identity verification, has fallen victim to a major cyber attack resulting in the loss of over 400 bitcoins and more than 1,700 ether. Valued at current market prices, the stolen cryptocurrency totals close to $26 million.
The hack, which occurred earlier this month but was only recently disclosed by Fixedfloat, appears to have exploited vulnerabilities in the exchange’s security infrastructure. Blockchain analytics firms were able to identify the wallet addresses used by the hackers and track the subsequent movement of the stolen funds.
According to BlockFence, a blockchain security company, the stolen bitcoin was initially sent to a single address before being dispersed to various other wallets. The purloined ether was moved through a mixer called eXch in an attempt to obscure the trail, but addresses linked to the theft were labelled as “Fixedfloat drainer” by PeckShield, another blockchain forensics outfit.
A small portion of the stolen assets were transferred to the popular exchanges HitBTC and CoinSpot, PeckShield reported. The company said this suggests the hack may have been perpetrated by sophisticated cybercriminals aiming to cash out the funds.
Initially, Fixedfloat cited only “minor technical problems” when it abruptly shifted into maintenance mode following the breach. It was not until details of the full-scale hack emerged online that the company acknowledged the incident and its extent.
In a Twitter statement, Fixedfloat admitted “there was indeed a hack and theft of funds.” The company said it is working diligently to eliminate vulnerabilities, strengthen overall security, and aid investigations into the attack.
As a non-custodial exchange, Fixedfloat does not actually control or store user funds. Thus, the company maintains that client assets and balances remain unaffected by the hack, which only impacted its own operational wallets. Fixedfloat plans to honor all client obligations when services resume.
The platform’s website remains offline as staff work urgently to patch security flaws and restore functionality. No timeline has yet been provided for when normal trading activity may recommence.
A Non-Custodial, No-KYC Crypto Exchange
Fixedfloat distinguishes itself from most mainstream cryptocurrency exchanges by not mandating user identity verification or “know your customer” (KYC) checks. Account creation and trading on the platform can be conducted anonymously, requiring only an email address.
This approach appeals to users who prioritize privacy and wish to avoid disclosing personal information. However, the lack of KYC procedures also limits Fixedfloat’s ability to track or block suspicious transactions. Non-custodial architectures like Fixedfloat’s generally place greater security responsibilities on individual clients.
The exchange mainly facilitates trading between bitcoin, ether, and stablecoins using an automated market-making algorithm. Fixedfloat offers interest payments for allowing the platform to use client assets in its liquidity pool. Trades occur directly between counterparties through smart contracts.
As a non-custodial exchange, Fixedfloat never actually holds user cryptocurrency deposits. Instead, trades are settled on-chain using decentralized protocols. This helps provide users more control over their funds compared to centralized exchanges like Binance or Coinbase that manage deposits in custodial wallets.
However, non-custodial exchanges are still responsible for properly securing their own operational wallets, which were compromised in the Fixedfloat case. The company maintains hot wallets to cover anticipated user withdrawals, collateralize trades, and pay interest. Though these corporate funds are separate from client holdings, their loss still impacts exchange users.
The Fallout of the Hack
While Fixedfloat has stated that its clients remain unaffected beyond the trading outage, the hack could still damage confidence in the platform. The exchange’s delayed acknowledgement of the breach may raise transparency concerns as well.
Trust is crucial for any financial provider, especially in a sector rife with cybercrime like cryptocurrency. Users will likely watch Fixedfloat’s response closely and reevaluate its security posture before resuming activity.
Some may balk at Fixedfloat’s no-KYC policy in the wake of this hack. KYC rules force users to verify identity but also allow exchanges to freeze suspicious accounts. Their absence eliminated a key safeguard that may have stopped the hacker from cashing out.
However, increased regulation also has downsides for user privacy that worry crypto’s most dedicated supporters. Finding the right balance between security and anonymity remains an ongoing struggle in the industry.
From a business standpoint, the multi-million dollar loss will deal a blow to the still-young company. But Fixedfloat stated it has the reserves necessary to recover and plans to reimburse the stolen funds using future earnings.
Industry analysts will watch how gracefully Fixedfloat can rebound while reestablishing trust and hardening defenses. Major hacks have sunk exchanges before, but others like KuCoin and Bitfinex have managed to stay afloat despite large breaches.
A Reminder to Bolster Defenses
While far from the biggest crypto hack on record, the Fixedfloat case exemplifies the persistent security threats exchanges face. Sophisticated hackers are drawn to cryptocurrency platforms by the promise of huge payouts in digital assets that can quickly be laundered.
Even fundamentally secure exchanges can be targeted through secondary infrastructure vulnerabilities, like unpatched servers and insecure APIs. The pecuniary impact on Fixedfloat shows how one successful intrusion can instigate a costly chain reaction.
The industry must continue working diligently to identify and eliminate potential attack vectors. Exchanges should undergo frequent audits, maintain bounty programs, and keep systems patched and up to date. Utilizing cutting-edge monitoring tools and AI can also help thwart emerging hacking techniques.
Perhaps this breach will serve as a teachable moment and reminder for Fixedfloat and its peers to further harden defenses. For an industry attempting to gain mainstream trust and adoption, effectively combatting cybercrime remains imperative. If exchanges cannot provide adequate protection for user funds, the path to wider acceptance will remain arduous.
The Fixedfloat hack demonstrates that constant vigilance is required, even as the industry matures. By bolstering security and collaborating across the ecosystem, cryptocurrency platforms can work to prevent billion-dollar heists from becoming the norm once more.
